Salesforce has issued a warning to its customers regarding a new data theft and extortion campaign launched by the infamous ShinyHunters cybercrime group.
Since mid-2025, ShinyHunters has been actively targeting Salesforce instances across various organizations through social engineering tactics and other methods.
The group was responsible for numerous incidents reported last year, resulting in the compromise and leak of millions of data records.
Salesforce clarified that these data breaches stemmed from phishing attacks, misuse of third-party integrations, or misconfigurations, rather than any vulnerabilities within its products or systems.
In a blog post dated March 7, Salesforce alerted customers about the ongoing attacks that leverage misconfigurations or publicly accessible sites.
“We have identified a campaign in which malicious actors are exploiting customers’ overly permissive Experience Cloud guest user configurations to potentially access more data than targeted organizations intended,” Salesforce stated.
Salesforce emphasized that the security of its platform remains intact and that the current issues are due to customer-configured guest user settings, not any inherent flaws in its security architecture.
The company also noted that the threat actor has used a modified version of Aura Inspector, an open-source tool originally created by Mandiant for auditing Salesforce Aura instances and detecting data exposures.
“While the original Aura Inspector is limited to identifying vulnerable objects by probing API endpoints exposed by these sites (specifically the /s/sfsites/aura endpoint), the actor has developed a custom version of the tool that goes beyond merely identifying vulnerabilities to actually extracting data by exploiting overly permissive guest user settings,” Salesforce explained.
Although Salesforce has not officially named the responsible threat actor, the ShinyHunters group has claimed responsibility for the attacks, asserting that they have targeted “several hundreds of companies” in a campaign termed the ‘Salesforce Aura Campaign’.
The cybercriminal organization has threatened to release information stolen from Salesforce instances if their extortion demands are not met.
Related Developments:
Other companies have also confirmed data breaches, notably Wynn Resorts, which reported a breach after hackers removed data from a leak site. ShinyHunters-branded extortion activity has also expanded and escalated.
Before this campaign, hackers extorted Salesforce after stealing data from dozens of customers, highlighting the increasing risks associated with third-party integrations and misconfigurations.
Overall, this alarming trend underscores the critical importance of cybersecurity practices within organizations, particularly regarding the management of user permissions and configurations.
Source: SecurityWeek News